Native IP filtering capabilities in Windows 2000/XP

Discussion in 'other firewalls' started by Gullible Jones, Apr 1, 2015.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    [Edit: like most Windows XP features, you shouldn't use this. See my second post below for why.]

    Just something to be aware of, if for some reason you get stuck with one of these OSes. Win2k and XP do have noninteractive outbound filtering capabilities. This filtering is stateless, i.e. it will not track who started a connection. But in this case we don't really care about that - the ports we want to goodlist are closed to inbound connections by default, and we don't care much about connection state when blocking outbound traffic.

    IP Filtering.png

    This can block some reverse TCP shell connections, e.g. from a Metasploit compromise here:

    Compromised.png

    The randomly named EXE tries to connect back to Metasploit on port 4444, but the filter will silently block it. The user account is compromised, but information from it is not going anywhere unless the attacker bypasses the IP filtering. Unfortunately there are no notification windows though, nor information in the system logs as far as I can tell...

    The obvious caveats are
    1. If you run as admin, turning this stuff off is trivial to automate
    2. Escalation to SYSTEM is likewise trivial on Windows XP, so running as a limited user is not much help
    3. There's no reason an attacker couldn't have a reverse TCP shell server on port 80...

    I think it's a bit late to put this to practical use, but maybe it could be handy for people running 2000/XP virtual machines on bridged connections?
     
    Last edited: Apr 1, 2015
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    So, you might have noticed, I missed something very significant above! Namely that this doesn't seem to work on Internet Explorer! If you look at the second screenshot, you'll see IE communicating to the Metasploit server over the prohibited port 8080 just fine. Well no kidding, that's the port the exploit is served on! Not sure why I didn't notice that.

    ... But, somehow, the payload binary still can't get back in touch with the reverse TCP shell server. No idea why.

    My suspicion is that this is more rubbish implemented in userspace, like SRP. In which case you shouldn't use it. Even in that case though, it seems hilariously dumb to me that it doesn't restrict IE's outbound requests. I mean, how does that even work?!

    Edit: so yeah, if for some reason you decide to make use of this feature, be warned that it doesn't affect IE. But more importantly, just don't use it.
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Ah, got it. The problem is that it both implements connection tracking and only applies to inbound connections. Because, you know, this is Windows XP and it just has to assume the user is a blooming idiot. Sigh.
     
  4. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    One would be taking a higher security risk running Internet Explorer on XP. If you add those ports to TCP/IP filtering (permit only) and as an example use a Mozilla based browser, you won't be able to connect to the Internet. If you're also able to connect to the Internet using those port settings and using the IE browser, I would be interested in how you accomplished that.

    You could harden the TCP/IP stack against DoS attacks. (Harden TCPIP Stack - SYN Flood Attacks with security registry key enhancements) NOTE: Use caution when editing the Windows registry. (Backup)


    The XP built-in firewall cannot block outbound connections; it is only capable of blocking inbound ones.

    Many remember the Blaster worm that attacked Windows and caused much damage. Apparently, from what I've read, the worm would scan networks looking for open TCP port 135 to exploit the RPC vulnerability. Upon success it would then connect via port 4444 and instruct the user's computer to launch Trivial File Transfer Protocol (tftp) and download a copy of the worm, called MSBLAST.EXE, from the infected system. This executable would then become a new attacker and spread to other machines. A changed registry key HKLM\...\run would cause Blaster to run every time the computer booted up.
     
    Last edited: Apr 2, 2015
  5. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Thought so... but when I first started reading the OP you really got me intrigued here, wondering how that could elude me all this time. But I do still learn new things all the time even about XP. I personally think it's awesome that people like you are still exploring/experimenting like this period on legacy OS's/apps... and less important that this particular endeavor didn't yield results. Please continue in this manner because it's people like you I learn the most from in here.
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    @luciddream

    Have to admit I'm actually kind of torn on this. My feeling is, generally, that people should upgrade to a modern OS if possible.

    On the one hand, I don't want to be offering advice on legacy systems if it encourages people to stick with those systems for the wrong reasons (and eventually get burned).

    On the other, some people are stuck with legacy OSes no matter what, and might benefit.

    Also, most modern OSes are terrible. Linux is still difficult to use, and unreliable on desktops. Windows is astonishingly bloated, and still insecure. OSX is vendor locked and absurdly expensive. There really is no good option IMO.

    But then, again: the security mechanisms in legacy OSes are also terrible. And policy is worth absolutely nothing if there is no mechanism to effectively enforce it.
     
  7. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    I wouldn't even bother with outbound filtering on legacy OS. Best bet is to put it offline and use it for legacy apps.

    If there's a need to go online on a legacy OS (for trivial browsing sessions for example), just avoid doing any sensitive things like online banking or shopping on it.
     
  8. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    A lot of what you learn about XP can be directly applied to later versions of Windows. I actually did a small study of privilege escalation and how exploits work after reading this thread. I found the hardened LUA approach to XP that I've been using for many years made the escalation from a standard user to system a non-trivial affair, but not from an administrator account. I also found that there were a few holes in my system I wasn't aware of. MS updates patch executable vulnerabilities. There are many configuration vulnerabilities in a default Windows install that need to be dealt with if you want to have a LUA that really is secure. This carries over into later versions of Windows.

    Windows does have a lot of good security features that aren't implemented by default. Learning the group policy editor and security policy editor in XP makes it much easier in the later versions of Windows. NTFS permissions are also much easier in XP. No UAC hoops to deal with before you can change a permission.
     
  9. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I use Sygate Pro for outbound filtering in XP. I've used it since 2004. It still works like a champ and can be installed on top of the Windows firewall. I think the old Kerio firewall is another good choice, from reading another thread on Wilders.
     
  10. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    We've been over this one already. Policy enforcement mechanisms on XP are inferior or nonexistent. The value of outbound filtering is IMO more in blocking stuff like reverse TCP shells, and interfering with the later stages of an attack that way. I suppose every little bit helps; but if your only outbound filtering is via an interactive software firewall, be aware such things can be circumvented without much trouble (especially if they lack a HIPS component).

    Overall, my experience with interactive Windows firewalls has not been good either.

    ...

    And now, a probably controversial opinion that should be taken with several grains of salt...

    I'm inclined to say that, when dealing with a network with legacy systems, setting up an inbound/outbound firewall on your gateway is a much better time investment than an interactive Windows firewall.

    a) A reasonably current Linux or BSD firewall distro will not be easily compromised by remote attack, if set up properly.

    b) If an attacker is using some oddball port for a reverse TCP shell, the gateway will deny outbound connections on that port, possibly severing the attacker's control even if they have root access on the victim machine.

    c) Knowledge of networking and UNIX OSes is IMO more likely to be useful in the future than knowledge of legacy Windows OSes, and especially of legacy desktop security apps.

    (And I know the mantra these days is that stateful firewalls alone are insufficient for security. That's true. But from what I've seen they can help quite a bit.)

    ...

    That being said, there is no substitute for caution. As @safeguy indicated above, legacy systems should not be used for anything critical.

    Edit: also, think about your network topology. IMO ethernet switches should be used, to prevent packet sniffers on XP systems from being effective. Legacy machines should never be allowed on wifi.

    (And there's probably more I haven't thought of, because I'm not that good with networking stuff.)
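    As an added example, not from any post in this thread: the gateway approach in point (b) above can do what the XP filter cannot, namely log the outbound connections it denies, and the same log feed also shows the inbound 135/4444 probing described in the Blaster post earlier. The Python below parses iptables LOG-style kernel lines (every address, interface name and log line here is constructed for the demo, and the subnet and port allowlist are assumptions) and flags both cases; the port-80 connection passes, which is exactly caveat 3 from the first post.

```python
"""Flag suspicious flows involving legacy hosts from iptables-style kernel log lines."""
import ipaddress
import re

# Constructed assumptions: the legacy segment and the TCP ports it may reach outbound.
LEGACY_NET = ipaddress.ip_network("192.168.10.0/24")
ALLOWED_OUTBOUND_TCP = {53, 80, 443}
# Inbound ports the Blaster description in this thread revolves around.
WORM_INBOUND_PORTS = {135, 4444}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one 'IN=... SRC=... DPT=...' line into a dict; SYN is a bare token, not KEY=VAL."""
    fields = dict(FIELD_RE.findall(line))
    fields["SYN"] = "SYN" in line.split()
    return fields


def classify(line):
    """Return a short verdict string for one log line, or None if it is unremarkable."""
    f = parse_line(line)
    if f.get("PROTO") != "TCP" or not f.get("SRC") or not f.get("DST"):
        return None
    src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
    dport = int(f.get("DPT", 0))
    # A legacy host opening a new connection to a port it has no business reaching
    # (the reverse-shell case from the first post: payload -> attacker on 4444).
    if src in LEGACY_NET and dst not in LEGACY_NET and f["SYN"] and dport not in ALLOWED_OUTBOUND_TCP:
        return f"outbound-denied {src}->{dst}:{dport}"
    # Something outside the segment probing the RPC/backdoor ports Blaster used.
    if dst in LEGACY_NET and src not in LEGACY_NET and dport in WORM_INBOUND_PORTS:
        return f"worm-probe {src}->{dst}:{dport}"
    return None


def scan(lines):
    """Classify every line and return the list of verdicts, in log order."""
    return [v for v in (classify(line) for line in lines) if v]


# Constructed sample lines in the iptables LOG target's format (not a real capture).
SAMPLE_LOG = [
    "IN=eth1 OUT=eth0 SRC=192.168.10.5 DST=203.0.113.7 PROTO=TCP SPT=1040 DPT=4444 WINDOW=65535 SYN URGP=0",
    "IN=eth1 OUT=eth0 SRC=192.168.10.5 DST=203.0.113.7 PROTO=TCP SPT=1041 DPT=80 WINDOW=65535 SYN URGP=0",
    "IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.10.5 PROTO=TCP SPT=3120 DPT=135 WINDOW=16384 SYN URGP=0",
    "IN=eth1 OUT=eth0 SRC=192.168.10.5 DST=203.0.113.7 PROTO=TCP SPT=1040 DPT=4444 WINDOW=65535 ACK URGP=0",
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_LOG):
        print(verdict)
```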
     
  11. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Why would it be easier to sniff packets from an XP machine? They would all look the same from a sniffer's point of view if captured by wifi. The security of a Wifi connection is dependent on the router as much as the client. If you are using a public Wifi, a VPN is highly recommended.

    I actually feel I have better control over outbound connections with XP and Sygate than Windows 7 with the built-in Firewall. Adding Windows Firewall Control and setting it to the right level brings it up to around the same level, but Sygate is still better at informing me of what software is trying to connect where. I'm interested in knowing what software is communicating with the outside, not in a perfect solution.

    I take the view that XP can be hardened to the point that it is secure in the hands of the right user. It has some advantages in its relative simplicity. As I stated earlier, I'm still finding areas to tighten in a system that has a years-long track record of not being breached. When I read about most security breaches, some form of social engineering is the method of choice and succeeds in getting inside of well protected networks a lot more than attacks from the outside.
     
    Last edited: May 7, 2015
  12. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Not from an XP machine, but on an XP machine. A compromised system can run a packet sniffer to spy on (unencrypted) traffic from systems on the same network. Ethernet switches can interfere with that.
     
  13. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Tell me about it... And not just with OS's either, but browsers. Firefox was ideal for me but ever since introducing Australis with version 29 it's turned into a veritable nightmare of privacy erosion with each passing version. I'm still using v27.0.1, and if/when I find it's vulnerable with my setup or otherwise unusable, I honestly have no idea what I'll do, because I have good reasons not to trust anything else. I especially don't trust Chrome. I hear people talk about making forks of Firefox and whatnot... I'd sure love for it to actually get done. If so they should pick up from the version I'm on because it was all downhill from there.

    Torn on OS's too. When it actually sounds like your best option is to stick with an OS that's no longer supported, you know the system is majorly flawed. I feel like I can overcome shortcomings XP has at least by stripping surface, and more so even relying on the fact that there's less of it there in the first place. But what IS there by default is all wrong. As I go through the settings it's as if every single thing is the opposite of how I want it. That's after turning off/removing the 90% I don't even want there to begin with. Then adding the right software support.

    But with newer OS's that's not even an option. They're vulnerable and privacy unfriendly, and there's absolutely nothing you can do about it. Adding mitigation techniques is just painting over rust in that case. Given the choice I'd take the prior. Some of the problems you mention with XP seem like they're coming from the perspective of a default install, and can be remedied with the right measures. With post XP Windows OS's such measures just don't exist for a few very important problems.

    It took a while to get acclimated to, but Debian is a nice little OS. I run a setup with XP and it VM'd and they work very well & light together with the right tweaking. From a usability + privacy standpoint it's the best option I've found. I use Win7 to browse, but mainly gaming & multimedia. But I wouldn't ever trust it for anything remotely sensitive. I like that it feels very much like XP, but realize every keystroke I make is being harvested for targeted ads and by fusion centers... to be used later to hang me if needed. That's a high price to pay for a stronger kernel...

    There is nothing left. I feel like I'm dangling by a thread here. Most have just given up and resigned themselves to the fact that privacy is extinct, and take it out of the equation when talking about security. While I still try to cling to what semblance of it I can. That's what keeps me using legacy OS's and apps and trying to batten the hatches as best I can.
     
  14. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Yep. And also when I hear about such things they rely on a set of circumstances that don't apply to me. Like the existence of certain apps, services, processes that I just don't have. And even if I did my Paranoid HIPS rules and/or other measures I've taken would snuff it out anyway. Or it couldn't break out of the sandbox I have protecting everything that faces the internet. Or...

    You get the point. I would have to undo a lot of things I've done to this machine to put myself in a position to be compromised right now, even on a machine that hasn't seen an update in over a year. I remember when I took one of my hardened machines and tried to turn it into a test box. I kept having to peel back layer after layer to try to infect myself, test exploits correctly. Kept finding things I'd done, even after removing all my software, preventing them from working. Ended up just reformatting the machine instead eventually because it just seemed impossible. Like you say, even now I learn new things about XP and apply them, and don't keep a running tab on everything I've done.
     
  15. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    If a machine was compromised and spying on network traffic within the network, the ethernet switch would make little difference. The compromised machine would be in the network and could spy on any traffic that it had access to, wired or not. If the ethernet switch was on a different subnet than the compromised machine it would make more of a difference. And XP machines are not the only things that can be compromised in a network. These days we have all kinds of devices with all kinds of OSes and firmware using wifi.
     